In its third annual assessment of the privacy practices of companies, the Deloitte Privacy Index 2017 revealed a disconnect between what organisations do and what their employees want them to do. Marta Ganko examines the findings.
Deloitte surveyed the ASX 100 organisations, as well as top non-listed consumer brands, to determine the quality of their care of customers’ data.
Given that 43 per cent of the 1,000 surveyed employees of these organisations revealed they do not know whether their organisation has a data breach policy, there is a lot more to do.
Key points from this year’s Deloitte Privacy Index 2017 are:
• Financial services have the best privacy governance and least risk taking followed by government organisations;
• The highest ranking industries have a privacy officer, regular privacy training, and require third parties to notify them in the event of a likely data breach;
• 91 per cent of organisations believe their organisation could be more transparent with consumers about how their information is used;
• 58 per cent of employees believe that regulatory compliance is more important to their organisation than building trust with customers (36 per cent); and
• 59 per cent of organisations believe they are neglecting to build trust with their employees.
As most organisations now have website privacy policies, security controls and mobile apps that are open and transparent to consumers, our focus this year was to see if there was any difference between what organisations believe is happening, and what their employees actually do when it comes to protecting data, and honouring customer privacy.
An organisation may feel, for example, that it has all its privacy boxes ticked and all its policies and procedures in place. Yet many employees circumvent these processes and find what they consider to be ‘easier’ ways of doing things, even if ‘adequate’ monitoring processes are in place.
To find out more we asked more than 1,000 employees of the top Australian organisations for their opinions of their organisation’s privacy practices, and in particular their expectations of trust, complaints and information handling.
A key finding was that 40 per cent of the employee respondents said they only received privacy training at induction or on an ad hoc basis. And 91 per cent of organisations believe their organisation could be more transparent with consumers about how their information is used.
Almost 60 per cent of organisations also say they should do more to build trust with their employees.
We explored whether training and policies translate into compliant behaviours, and if not, what to do about it. The survey also revealed that bundled consent, Terms & Conditions or privacy policies cannot be relied on to manage information.
Given this ‘could do better’ rating, and the direction in which organisations both here and around the world are heading, towards individuals having greater control over the collection and sharing of their data, we face a big challenge if we are to build trust, develop resilience and create an environment of real consumer and business confidence.
Open data provisions are already enacted in other parts of the world, including the European Union. The two salient instruments are the Revised Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR).
In early 2018 customers in the UK will have the option to share information about how they operate their bank account with organisations. They will expect an enhanced banking experience, with comparison and switching services to help them identify their best financial products.
The new rules state that banks must create open APIs so that customer data can be shared between organisations and be incorporated into third party applications in a common, consistent format.
In Australia, the recent budget announcements also flagged the introduction of open banking, aimed at reforming the perceived competitive inequality between the major and second tier banks.
This will create an imperative for open, transparent management of customers’ data by the banks and continue to shine the spotlight on privacy practices.
Some of the specific 2017 Privacy Index findings for the Financial Services (FS) sector show a number of pluses for the sector from the consumer perspective. However, there are some significant issues that need to be addressed. For instance, if almost 60 per cent of employees in the sector are unlikely to share their passwords, the findings raise the question of whether the other 40 per cent in fact do.
From the consumer perspective
• Employees in FS tend to have different passwords across various websites, so they are more likely to use a different password for each work application as well, which transfers less risk to the organisations they work for;
• Almost 81 per cent have never allowed a work colleague to use their work password;
• 95 per cent would report if a customer’s information was used or disclosed inappropriately;
• However, 37 per cent believe their organisation does not have a data breach procedure or don’t know if their organisation has a data breach procedure;
• Almost 60 per cent of employees are unlikely to share their passwords; and
• Almost 58 per cent never use email to transfer personal data about individuals.
From the organisation’s perspective
• All FS organisations feel comfortable their staff members would report misuse or unauthorised disclosure of information;
• All FS organisations have a data breach response plan;
• However, as seen above, 37 per cent of staff do not know, or do not think, that there is a data breach response procedure;
• 67 per cent of organisations review third party management of data at contract review;
• 17 per cent do not review third party management of personal information at all;
• All have a formal Privacy Impact Assessment process;
• 67 per cent of organisations have undertaken a formal exercise to develop a privacy strategy:
- Of these 50 per cent have refreshed the strategy in the last 12 months
- For 75 per cent of the 67 per cent that had a formal privacy strategy, the primary focus behind the strategy was building trust with customers, not compliance.
• 84 per cent believe that privacy obligations positively impact on consumer experience.
Although most of the findings are positive, there is absolutely no room for complacency.
Across all sectors the most trusted industries in the Deloitte Australia Privacy Index 2017 are:
As the Australian Privacy Commissioner Timothy Pilgrim said (see note 1): “Simply put, a successful data-driven economy needs a strong foundation in privacy … When there is transparency in how personal information is used, it gives individuals clarity, choice and confidence that their privacy rights are being respected.”
Marta Ganko leads Deloitte’s Privacy Index and is a director, Risk Advisory, Deloitte.
1. Speech delivered at Crowne Plaza, Canberra, 16 November 2016.